Apple Hit By Hackers Who Targeted Facebook 148
snydeq writes "Apple was recently attacked by hackers who infected the Macintosh computers of some employees, the company said on Tuesday in an unprecedented disclosure that described the widest known cyber attacks against Apple-made computers to date, Reuters reports. 'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday. ... A person briefed on the investigation into the attacks said that hundreds of companies, including defense contractors, had been infected with the same malicious software, or malware. The attacks mark the highest-profile cyber attacks to date on businesses running Mac computers.'"
Hackers reported that the malware "just worked." (Score:5, Funny)
Thank you folks, I'll be here all week.
Re:Hackers reported that the malware "just worked. (Score:4, Insightful)
Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.
Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.
Sure IT may get an increase in calls at the start, but it is worth it in the long run.
Re:Hackers reported that the malware "just worked. (Score:5, Informative)
Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
That was a bit quick to jump to conclusions:
Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.
"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."
Source: http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/ [arstechnica.com]
Smaller subset than you would think (Score:3)
any engineer who visited the site and had Java enabled in their browser would have been affected
It seems like not many Mac developers would have been affected - because (1) you have to specifically install Java, and (2) as the response from Apple states Java (in the browser) is disabled if you do not use it for 35 days...
But it would be great to know the sites involved so we would know if we were at risk.
Re: (Score:2)
I have Java enabled on my Mac in the browser. Not because I want it enabled, mind you, but because IT requires it to be enabled because some of the software IT requires demand the Java plugin under non-Windows operating systems. (This also kills the plan I use under Windows of using 32-bit Firefox and only the 64-bit JDK, which means I get the JDK I need for my job but not a Java plugin that even can run in my browser.)
Since the only reason I have a Mac in the first place is to work on a completely useless
Re: (Score:2)
By making it harder to "phish" people, they must use other means which potentially expose them much easier than an email spam campaign.
It also points out the problem with complex coding platforms like Java.
As I never liked Java because of many other factors, this is just icing on the cake to my issues with it. Java is terrible.
Re: (Score:1)
Perhaps in this case it was a targeted site that was compromised, but the point still stands. By making it harder to "phish" people, they must use other means which potentially expose them much easier than an email spam campaign.
No, your point does not stand. You were blaming the stupid users with too much time browsing porn sites or whatnot as well as the corporation that did not train them properly.
There isn't much you can do against a browser plugin silently executing malicious code planted into a normally harmless popular website. No matter how knowledgeable were the respective FB developers, if the cited information is correct and complete, there was no way he they could have avoided the problem except by having java block
Re: (Score:2)
Why does everywhere seem to be keeping the identity of the site in question top secret?
That's rather unacceptable, as many other developers using said site could also have been impacted.
This helps no one other than the admins of a site who failed to properly secure it and they shouldn't have right to anonymity of their site when others may well be at risk.
Re: (Score:2)
Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.
Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.
Sure IT may get an increase in calls at the start, but it is worth it in the long run.
Riiiigth. [slashdot.org]
Re:Hackers reported that the malware "just worked. (Score:5, Insightful)
But...they were using Apples. Everyone knows that the Apple OSs can't be hacked. So it is perfectly OK to click on any link that strikes ones fancy. Isn't it?
You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.
Re: (Score:2, Insightful)
Re:Hackers reported that the malware "just worked. (Score:5, Informative)
Being cross platform still means it affected Macs. So the GPs tirade against the idea that Macs are immune to malware is valid. The GP was not claiming that other systems were immune to it.
No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware. Even totally clueless 'drone' type users don't assume that. I know because a friend of mine has a small Apple shop and people regularly show up at his dealership and ask about infection risks on OS X and half the time they walk out with a free info booklet on malware and having bought a basic anti malware suite (he installs and configures it for free). This guy is just another nerdy zealot venting his irrational hatred of all things Apple. That "OS X is immune to malware and h4x0rs" mantra is so old it has whiskers on it and regurgitating it makes him just as lame as those sad plonkers who still spell Microsoft with a $ sign.
Re: (Score:1)
Re: (Score:2)
Reply to undo Mod.
Re: (Score:2)
Re: (Score:3, Interesting)
No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware. Even totally clueless 'drone' type users don't assume that. I know because a friend of mine has a small Apple shop and people regularly show up at his dealership and ask about infection risks on OS X and half the time they walk out with a free info booklet on malware and having bought a basic anti malware suite (he installs and configures it for free). This guy is just another nerdy zealot venting his irrational hatred of all things Apple. That "OS X is immune to malware and h4x0rs" mantra is so old it has whiskers on it and regurgitating it makes him just as lame as those sad plonkers who still spell Microsoft with a $ sign.
Come to my company. We have many users with Apples at home that swear to me that their Apples cannot get viruses, malware, hacked, etc... They all want to use them on the company network.
Re: (Score:2)
No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware.
Actually, Macs claim that they are immune to PC Viruses. [youtube.com]
Re:Hackers reported that the malware "just worked. (Score:5, Informative)
You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.
A few years ago, when Apple shipped iPods with Windows Virus they said "As you might imagine, we are upset at Windows for not being more hardy against such viruses... [apple.com]". So now they now should be upset with themselves.
Actually, before you ripped it out of context, the full quote was: "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it." So even at the time they admitted they were upset with themselves even though they could't help but take a shot at Microsoft for reasons that have to do with events that took place while you were probably still in diapers. Come to think of it I could fill a book with snide comments by Linux Fanbois about Windows security made on this forum, comments that ignore the fact that there is way more malware targeted at Windows than there malware targeted at Linux. If you take that into account Microsoft is doing a pretty good job on security, snide comments by Apple Marketing drones and Slashdot Linux fanbois not withstanding.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
To be clear, she makes her connections on the internet. She makes her money on her knees. At least that's what I heard from kutahuja's mom.
There is no OS-based security. (Score:1, Interesting)
Among my computers is a windows machine. I have no fear of being compromised because it has no exposed ports, a safe browser, and all 3rd party plugins disabled until I activate them.
I also have an android phone, and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything. It has nothing to do with the underlying safety of the system, but always the weakest link the chain.
Re:There is no OS-based security. (Score:4, Informative)
AdBlock runs just fine on an Android phone, in case you didn't know. I put it on mine pretty much the day I got it.
Re: (Score:2)
Chrome for Android is safe. Plugins are click-to-play and you can even disable Javascript. Adblock is available for Android and all apps run sandboxed. It is basically as safe or better than your desktop, the biggest vulnerability being user stupidity.
Re: (Score:1)
Re: (Score:2)
There are things to do to help mitigate chances of malware on Android, especially if one has root:
1: There are AdBlock-like utilities available for Android which can actively firewall, add hosts entries, or block on the app layer.
2: For older versions of the OS, there used to be an app called LBE Privacy Guard, which would prevent apps that wanted full kitchen sink perms from being able to do their dirty deeds.
3: Some Android ROMs allow permissions to be edited. That way, an app wanting all and sundry m
Re: (Score:3)
a safe browser
A what?
Web browsers are complex software, I would say on about the same level as Oracle's Java implementation, or the Flash plugin. The ones in common use are all written in C++, which is perfectly capable of expressing programs with exploitable security holes in them. I would say that the probability that your web browser is free of exploitable holes is about the same as the probability of that being true of Java or Flash. In other words, I hope waking up from that dream won't be too harsh.
Re: (Score:2)
He turns off Java, Flash, ActiveX, etcetera until he decides it is important to have one of them on.
And acts like this will stop him from getting a java/flash/activex malware.
It won't.
Re: (Score:2)
How exactly is software that doesn't run going to get exploited, pray tell? Objects dependent on any code outside firefox are replaced with plain-boring html until I click-to-run them, which is the only time their associated libraries get loaded into memory at all.
Re: (Score:2)
Seriously?
It'll get exploited when he is running it.
Re: (Score:2)
He being me, just for reference. The vast vast vast vast majority of malware infections come from sites you never intended to visit: domain squatters, advertisers working with shady sites, SEO space-wasters, bogus links. I only run 3rd party software I actually have reason to trust.
Facebook (Score:1)
compromising your privacy and security since 2004...
Re:Apple users (Score:5, Informative)
I used to do Mac support and have spent plenty of time removing viruses from the old Mac System 6/7/8/9.x machines. I have never seen a Mac OSX virus 'in the wild'.
Like any other form of security theatre, if you go long enough without being attacked, you get alert fatigue and begin to consider the threat negligible or non-existent and begin to consider yourself immune. I don't even have an anti-virus software on my home computers and would probably need to hear about a mass outbreak before I would consider installing any given my experiences of the performance hit windows machines seem to take when running anti-viral software.
I used to swear by McAffe or Norton's, now I consider them potentially worse than half the malware out there for how they turn a perfectly good machine to molasses.
Macs don't get viruses (Score:1, Funny)
I suspect this is an elaborate hoax perpetrated by Microsoft or possibly Google.
Re: (Score:1)
I suspect this is an elaborate hoax perpetrated by Microsoft or possibly Google.
In a week or two, someone finally manages to throw back the curtain to find... *gasp*.... THE ORIGINAL NEXT CUBE TEAM, back for revenge?!?
"You thought you were rid of us, didn't you? Jobs thought that, too. And Jobs forgot to buy US out! We're here to take back what's ours!"
Java in the Browser? (Score:2)
'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers"
I thought Apple disabled Java in the browser months ago?
Re: (Score:2)
They block individial versions which are known to be vulnerable. New versions are not blocked unless they are also found to be vulnerable. And if you absolutely want to run a vulnerable version you can just activate it yourself.
Re: (Score:2)
They block individial versions which are known to be vulnerable.
At this point in history, can't we assume that's "all of them" and start whitelisting?
You can sense the glee in the writeups... (Score:2, Insightful)
This is such a delicious day for the tech "press" because despite their constant barrage of warnings to the contrary, Apple viruses have been pretty much non-existent. Sure, OS X has had some vulnerabilities, but they were generally in various Unix packages and daemons, and those same problems generally affected Linux and BSDs and Solaris and so forth.
Anyway, my question: who the hell uses Java as a browser plugin anyway? On my rigs, it is disabled and has been for years. It's still installed (unlike Fl
Re: (Score:2, Informative)
Any IT worker that has to deal with:
EMC SAN Management
Brocade SAN Switch Management
Citrix Netscalers
Various random pieces of network equipment with horrible GUIs
etc, etc, etc.
If a device has a web gui that is doing anything remotely complicated, 99% chance it will require Java. Bonus points if it requires an ancient old version to work.
Re: (Score:1)
Don't those products all support terminal controls over SSh as well?
Yeah, though, e state of "enterprise" management tools is pretty sad. These devices go for tens of thousands to perhaps even millions of dollars a pop, and the management software / GUI control options seem like they were created for people who failed elementary school.
Re: (Score:2)
If given the choice of command-line SSH tools versus a broken Java-based web UI, just give the SSH tools. One can write a front-end if they really felt like it then.
To boot, why is Java even needed these days on the client end? HTML5 + Javascript can do a lot. I can generate RSA keys using JS using aSSL.
Re: (Score:1)
It's not needed, it's just momentum. After all, the CIO knows from reading Gartner reports that Java is "enterprise-ready" and so that's good enough for him!
Re: (Score:2)
The ironic thing is Java had its chance. Had Sun/Oracle did it right, there would have been no need for Flash or Shockwave, no need for HTML5, and perhaps no need for any other browser extensions, period.
The fact that a JVM != a JVM is one of the things that killed Java as a usable platform. Had there been some consistency where code running under IBM's JVM would work without issue on Oracle's or Microsoft's, or just even between versions, Java would likely be a must have on today's desktop.
I wish Oracle
Re: (Score:1)
I'll go one further for you: Had Sun done it right, there would be no need for Windows or the Macintosh or Android at this point. Java was designed ultimately so that the virtual machine could be swapped out for an actual machine without changing the software and without the user noticing at all. It was supposed to be beautiful, something that would be software and / or hardware agnostic, that would be running on our spaceships 3000 years from now.
If they would have stuck to the idea of having one unifie
Re: (Score:2)
Nail, head, hit. It would be a nice world where one didn't have to worry about the underlying architecture, and it could be designed for specific tasks.
For example, one set of CPUs would be designed to run bytecode as energy efficiently as possible. When CPU load goes over a threshold, the JVM is passed to another CPU/core set which is optimized for performance. Once the CPU is back under a threshold for a certain amount of time, it goes back to the watt-saver dies.
Done right, improvements with computers
Re: (Score:1)
wtf, IBM JVM is real fine, you must be talking about WebSphere version 7 and below. I tried to crash a spring webflow application on tomcat 7 running on the linux 64bit jdk1.7 j9 jvm. And my testing tool crashed at 893 simultaneous user, but the tomcat was only using 168Mb but the system had a load of 187 and the request service time climbed to 30sec but all request were correctly served. I tried a similar benchmark against a simpler php application and I had to use ulimit -n 4096 before it stopped crashing
Re: (Score:2)
Correct me if I'm wrong but isn't Java included with the OS? Last time I installed MacOS (IIRC it was Leopard) Java was there and required me to install multiple updates (and reboot after every one). The updates were in the system updater app along with all the OS and Apple app updates.
Not only not included, disabled later too (Score:3)
Correct me if I'm wrong but isn't Java included with the OS?
No, you have to download and install it.
And even if you do that, if Java is not used for 35 days the system disables it.
Now THAT's how to handle Java so most people will not get burned...
Re: (Score:2)
Re: (Score:2)
Anyway, my question: who the hell uses Java as a browser plugin anyway?
Enterprisey bullshit: HR/time tracking apps, medical apps, CRM, and so on...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Anyone who has to use Oracle forms.
Here's what Apple said on their website (Score:5, Funny)
Re:Here's what Apple said on their website (Score:4, Insightful)
And Apple responds quickly to online threats and automatically delivers security updates directly to your Mac.
I'm sure you're trying to make a point with this post but the thing is that quote is accurate. Especially the last sentence. You see, Apple identified the security issue (third party Java plug ins) and have already released an update that deals with the problem. They didn't wait weeks (or months...) - they responded to the online threat quickly.
So, while I can guess what point you were trying to make with your post, I must say I don't think you quite succeeded...
Java 6 SE vs Java 7 SE ? (Score:1)
I am's be wonderin'
I never installed it, just running the good ole' Java 6 SE which lets me run all the crap the interwebs brangs forth towards me.
Is there an App for that? (Score:1)
Yes.
WHAT popular mobile developer Web forum? (Score:2)
"compromising the server of a popular mobile developer Web forum"
So far, all of the press reports and statements from those compromised have left off the most important bit of information: WHAT "popular mobile developer Web forum" was used?
One would imagine this would be important information to disseminate to developers...
Re:WHAT popular mobile developer Web forum? (Score:5, Informative)
Re: (Score:2)
Thanks - that's one.
If StackOverflow were also infected at any point, then I would start to be concerned... that's the primary site developers use.
Re: (Score:2)
Where's Nancy Reagan when we need her? (Score:3)
Just say NO to Java.
Re: (Score:2)
Just say NO to Java.
Just say no to Java in the browser. It's ugly, it's resource-hungry, it's insecure. Java's OK for implementing other types of applications, especially server-side, where the security exposure surface profile is rather different, but the browser plugin part has just been trouble for years. (I've had it disabled for years too, along with Flash, not as a security measure but rather to stop excessively annoying ads and other low-value embedded content.)
Re: (Score:2)
Do you think Nancy Reagan would know that difference?
Soimething doesn't make sense though.... (Score:2)
Re: (Score:2)
Because spamming has relatively low penalties.
Attack a defense contractor and you have several problems. First is network security - classified stuff is probably on the airgapped network that you can get on, but it's difficult to get off of. Second, you have people monitoring such things and the likelihood
What does it do? (Score:2)
I can't find any reference to what the attack actually does. Does it crash the machine? Erase the hard drive? Cause ugly pop-ups? Spam email?
Apple Hit By Hackers Who Targeted Facebook (Score:2)
Sounds like their aim needs some practice.
Obligatory (Score:2)
This wouldn't have happened if Steve was alive!
OpenJDK? (Score:3)
"This is a new campain" (Score:1)
Re: (Score:1)
They hired Robert T. MORRIS.
Re: (Score:3, Informative)
According to TFA the eploit was in Oracle's version of Java, a third party product that was installed on the machine. Hardly something that the OS could be blamed for.
Re:That's Impossible! (Score:5, Insightful)
Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.
And, unless the attack affects one user account only... They are right. That goes for Windows, MacOS, Linux, *BSD, and INSERT_ANY_OTHER_FSCKING_OS_HERE
Re: (Score:1)
Re: (Score:2, Insightful)
And, unless the attack affects one user account only...
If the goal is to penetrate a company's systems, one user account is all you need. From there you can get the credentials to get to the juicy stuff.
Multiuser OSes essentially only protect the system files. Guess what? Hackers don't care about your system files. They want your user data.
Re: (Score:2)
Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.
Well, that's what they are doing with iOS. However some people have objections about that as well.
Re: (Score:2)
There was a time that a HUGE number of exploits existed against Windows itself (or IE, which is part of Windows), and an equal number of exploits existed against other major MS products s
Re: (Score:2)
Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.
That's because the attacks are usually around IE or open ports. So of course people would blame the OS for the security failure.
If the attacks are "usually" around IE or open ports, when was the last such attack?
Re:That's Impossible! (Score:5, Informative)
Well, not having the details at hand (although I did RTFA), it seems that the OS allowed a user app to corrupt the system.
So, yes, I can blame it on the OS. Java may have been the initial vector that allowed the malware entry to the system, but the OS allowed the malware to do things it shouldn't have been able to.
Re: (Score:2)
Well, to play devil's advocate -- does the install of Java end up bypassing some of the security?
I see a lot of stuff which doesn't want to install into user space, but wants Admin rights and wants to integrate tightly with other things. At which point, installing what should be trusted software is really just openi
Re: (Score:1, Insightful)
Introducing the new Viri virus scanner, for only $30 it will prevent all infections and coo to you while it does it!
Scan different
Re: (Score:2, Informative)
Yes, Unix is secure by design and Mac OS X has a built-in virus scanner. There is no need to run additional software as none of it would've stopped this exploit short of disabling Java (which was also lauded as secure by design/sandboxing)
Re: (Score:1, Insightful)
>Java
>secure
Choose one
Re: (Score:3)
You mean something like this?
http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx [sophos.com]
Re: (Score:2)
Virus scanners on Windows catch Java exploits! Having a virus scanner technology could have prevented this.
Sure. Virus scanners can catch 0-day vulnerabilities. Whatever you say.
Re:That's Impossible! (Score:5, Funny)
I think you've got Mac OS X mixed up with OpenBSD.
Re:That's Impossible! (Score:5, Informative)
Trojan != Virus for the love of god trolls, please learn this. I am sooo tired of hearing trojans being called viruses. They're both "malware", but that's where it ends.
Anyway, this is why Apple is getting really sick and tired of Flash and Java, they've been the top two security thorns in their side for the last decade. Feeding the Apple bashers and giving Apple a bad rap. Apple doesn't write the flash or java interpreters, they don't have much control over the code monkeys at oracle and adobe.
Re: (Score:2, Insightful)
Let's be honest here. Apple doesn't dislike Flash and Java because of security. They dislike them because people can use them to play games and use apps without Apple getting their 30% cut.
Re: (Score:2)
On OS X, I can purchase/download a game from a third party maker, and be off and running. In fact, there are a few utilities (InsomniaX) that are not up for sale in Apple's store due to doing low level kernel functions.
Now, iOS is a different story. Without a JB, one is forced to go through iTunes (beta apps, or enterprise apps) or they go through the App Store. However, this doesn't apply to OS X.
Re: (Score:2, Insightful)
On OS X, I can purchase/download a game from a third party maker, and be off and running.
For now.
Give it a few more releases (assuming Apple still thinks they're on top of the world then). They'll make it harder and harder to do just that, until finally you're jailbreaking your laptop to install programs. And you'll just treat that as standard operating procedure.
Re: (Score:2)
If the App Store became a requirement, then they would be forced to stop.
They would also be forced to give Apple a 30% cut of their sales and let Apple and Apple only decide if their software was "appropriate" for your computer.
Re:That's Impossible! (Score:5, Interesting)
They don't like it because you have to run an update twice a week to keep up with the latest exploits found in flash and java. IF oracle/adobe were generous enough to roll up an update this week for the new exploits.
And the boneheads at oracle kept insisting on rolling up whole new installers most of the time, that would only work if you had the previous version installed. (installer or updater make up your mind!) So you'd install vers 10, then 11, then 12, then 12.1, then 13, then 14, most of which were 55-56mb each. Idiots. Java needs to die in a fire. And I'll bring the marshmallows.
It's not entirely oracle and adobe's fault though really... they're just keeping it up because devs keep using it. I'll admit it, writing games in flash (or java) is pretty quick and easy. But quick-n-easy comes at a price, a price to the users
Re: (Score:2)
Let's be honest here. Apple doesn't dislike Flash and Java because of security. They dislike them because people can use them to play games and use apps without Apple getting their 30% cut.
Yes, because Apple had an app store in 2007 when the first iPhone came out without Flash support. Even after the store came around, all those free apps though... 30% of nothing is—let me do the math here. Nothing into nothin'. Carry the nothin'...
Let's be honest here. Apple doesn't like Flash and Java IN PART because people could then use them to play games and use apps without Apple getting a 30% cut, IN PART because of security issues, and IN PART because the user experience on mobile for existing c
Re: (Score:3)
Of course they can, especially when the hacked software was an installed copy or Oracle's version of Java.
Re: (Score:1)
Well, to be fair, it is a *different* virus... :)
Re: (Score:2)
It says it was Oracle Java, and Oracle does not provide Java 6 for OS X so it must have been Java 7.